Oct 18, 2007

Threat modeling in the business world

For a while now I've been trying to figure out the best fit of threat modeling in a microeconomic, business, non-security-related setting. For those not familiar with the process, the SDL blog provides a nice article that explains it from a software point of view. Although threat modeling may seem like a self-explanatory task, there are some specifics that need to be handled carefully for the model to be helpful. For instance, the classic STRIDE and CIA models are applicable when trying to protect company assets, information, and resources; but how do they fit from a pure business perspective where business development and operations management are the primary focus? Would there be a ranking according to which business risk can be identified? If so, what would that model look like? Can there be standard approaches to mitigating certain types of business risk?

